Is there a way to update some of the individual packages loc cfml #box-products

Is there a way to update some of the individual pa...

Jason Ryan

09/06/2022, 9:46 PM

Is there a way to update some of the individual packages located in the bundle

root/.CommandBox/lib/runwar-4.7.7.jar

? This is box-light by the way. In my Lucee hardening adventure, the last two items striking some red flags are io.undertow:undertow-core
and
net.minidev:json-smart-mini
both of which are showing up as included in that .jar file.

bdw429s

09/06/2022, 10:24 PM

@Jason Ryan Are you on the lastest CommandBox because I just updated those libraries this week in the 5.6 release

Jason Ryan

09/07/2022, 3:26 PM

@bdw429s Just updated to 5.6.1 and it appears that

io.undertow:undertow-core

remains unchanged in its vulnerability status. But

net.minidev:json-smart-mini

is slightly different - This one no longer shows up under

runwar-4.7.7.jar

but it does come up under

/root/.CommandBox/lib/json-smart-mini-1.0.8.jar

Jason Ryan

09/07/2022, 3:26 PM

Curious what happens if I delete that

.jar

🤔

bdw429s

09/07/2022, 4:34 PM

@Jason Ryan What version of runwar do you have?

Jason Ryan

09/07/2022, 4:35 PM

Oh man I just realized I'm still installing the old version. That probably explains everything

Jason Ryan

09/07/2022, 4:35 PM

My bad 😞

bdw429s

09/07/2022, 4:37 PM

Yeah,, you should be on RUnwar 4.7.14

bdw429s

09/07/2022, 4:37 PM

I've bumped all the runwar java dependencies in last week's version

bdw429s

09/07/2022, 4:38 PM

With the exception of JBoss logging which I could only update to 3.4.4 as 3.5.0 has dropped Java 8 compat

Jason Ryan

09/07/2022, 4:41 PM

Or possibly that's the max version that has the vulnerability

bdw429s

09/07/2022, 4:43 PM

What's the CVE?

bdw429s

09/07/2022, 4:43 PM

There may have been something that came out that isn't fixed yet

bdw429s

09/07/2022, 4:43 PM

But I don't think I don't control the XNIO version-- Undertow bundles that

Jason Ryan

09/07/2022, 4:44 PM

CVE-2022-0084

Jason Ryan

09/07/2022, 4:44 PM

A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.

bdw429s

09/07/2022, 4:45 PM

7.5 seems unnecessarily high for something that just creates log entries 🤔

bdw429s

09/07/2022, 4:46 PM

All of CommandBox's logs automatically do rotation so that's not really a concern

Jason Ryan

09/07/2022, 4:46 PM

Good to know!

bdw429s

09/07/2022, 4:46 PM

Plus, I'm 99% sure the XNIO logs aren't even directed anywhere unless they are errors

bdw429s

09/07/2022, 4:48 PM

Yeah,

3.8.7

is the current stable release of XNIO

bdw429s

09/07/2022, 4:48 PM

There's no fix yet for that CVE

bdw429s

09/07/2022, 4:48 PM

So there's no way to upgrade it 🙂

Jason Ryan

09/07/2022, 4:48 PM

Gotcha. We can live with that 😄

bdw429s

09/07/2022, 4:48 PM

But I would say the exploitable area exposed by CommandBox would be very low or non-existent

Jason Ryan

09/07/2022, 4:49 PM

Right on 👍

bdw429s

09/07/2022, 4:49 PM

Pete pointed out this one to me the other day, and I am already planning on releasing as soon as there are any security fixes

Jason Ryan

09/07/2022, 4:49 PM

You da man!

bdw429s

09/07/2022, 4:49 PM

👍 Thanks for checking!

Jason Ryan

09/07/2022, 4:50 PM

Hey man glad I was able to help a bit 🙂

Open in Slack

Previous Next